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Abstract — A unique decoding algorithm for general AG codes, 
namely multipoint evaluation codes on algebraic curves, is 
presented. It is a natural generalization of the previous decoding 
algorithm which was only for one-point AG codes. As such, it 
retains the same advantages of fast speed and regular structure 
with the previous algorithm. Compared with other known de- 
coding algorithms for general AG codes, it is much simpler in 
its description and implementation. 

Index Terms — Algebraic geometry code, decoding algorithm, 
interpolation, Grobner base. 

I. Introduction 

Goppa (T) was the first to define linear error-correcting 
codes on algebraic curves. For a divisor G whose support is 
disjoint from a set of rational points on the curve, divisor D 
being the sum of those rational points, he defined the eval- 
uation code Cc(D,G) and the differential code Cq(D,G), 
the latter being the dual of the former. In the subsequent vast 
research works on Goppa's codes, now called AG codes, the 
focus was often on the dual of the evaluation code, that is, the 
differential code. The reason seems to be nothing else but the 
first successful decoding algorithm for AG code 12 was for 
the dual of the evaluation codes. Thus a lot of effort was put 
into finding curves with many rational points and thereon to 
construct differential codes with good parameters. To estimate 
the minimum distance of the codes, various lower bounds have 
been developed. For much the same reason, so-called one- 
point codes that assume G — mQ for some positive integer 
m and a rational point Q are considered most often in the 
literature. These one-point differential codes can be decoded 
efficiently by the syndrome-based Berlekamp-Massey-Sakata 
algorithm with the Feng-Rao majority voting jj). 

Guruswami and Sudan's list decoding [4| provided a fresh 
point of view that brought the evaluation codes back to the 
center. Using interpolation, they showed that evaluation codes 
can be decoded successfully beyond the capacity of the previ- 
ous decoding algorithms for differential codes. Following this 
way of approaching the decoding problem of AG codes, the 
authors [5 1 reinterpreted Duursma's idea of the majority voting 
[6 1 in the context of the interpolation decoding, and introduced 
a unique decoding algorithm for one-point evaluation codes 
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on Miura-Kamiya plane curves. The result was a combination 
of nice features of the interpolation-based list decoding and 
the performance of the classical syndrome decoding with the 
majority voting scheme. Shortly thereafter, Geil et al. Q 
generalized the result for arbitrary one-point AG codes and 
for list decoding. The goal of this paper is to note that 
the basic idea of (5) is more widely applicable, and present 
an interpolation-based unique decoding algorithm for general 
evaluation AG codes. By general evaluation AG codes, we 
mean the evaluation codes Cc{D, G) with an arbitrary divisor 
G, with the premise that there exists a rational point Q not 
in the support of D. These codes are often called multipoint 
evaluation codes. Prominent examples would be the two-point 
codes on maximal curves such as Hermitian, Suzuki, and Klein 
curves. 

We find that the impact of the interpolation-based list de- 
coding has already made Beelen and H0holdt [8| to construct 
a unique decoding algorithm that is very similar to ours. Their 
algorithm also adopts an iterative method using majority vot- 
ing to find the interpolation polynomial that gives the corrected 
codeword. The major difference of our algorithm is that we 
do not need differentials to construct the algorithm and use 
Lagrange interpolation instead of syndromes computed from 
the received vector, and thus directly compute the coefficients, 
corresponding to the sent message, by majority voting. Thus 
our algorithm is much simpler to present and more streamlined 
to implement and deploy in practice. Fujisawa and Sakata [9| 
also presented a fast decoding algorithm for multipoint general 
AG codes using a variant of the classical Berlekamp-Massey- 
Sakata algorithm, but only to correct errors short of the Goppa 
bound. Their method, originally due to Drake and Matthews 
[10 1, is to embed the multipoint code isometrically into a one- 
point code. 

The core ideas of the present work that we add to are 
all contained in the preliminary materials in Section [II] For 
general facts and notations for algebraic curves and functions 
fields, we refer to IfTTI . Once the stage set, we describe in 
Section [III] the decoding algorithm in a parallel fashion to (5). 
In Section [IV] several examples and experimental results are 
provided. In the final Section, we conclude with some remarks. 

II. Preliminaries 

Let X be a smooth geometrically irreducible projective 
curve defined over a finite field F. Let P\ , P2, . . . , P n and 
Q be distinct rational points on X, and define D = Pi + Pi + 

h P n . Let G be an arbitrary divisor on X, whose support 

is disjoint from that of D, but allowed to include Q. 

Let ¥(X) be the function field of X over F. Let 



R = (J C(sQ) C ¥(X) 
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be the ring of all functions on X which have no poles other 
than Q. For / G R, let p(f) = — i>q(/). The Weierstrass 
semigroup at Q is then 

A = {p(/) \feR}. 

It is well-known that A is a numerical semigroup whose 
number of gaps is the genus g of X. Let 7 be the smallest 
positive integer in A, and let p(x) = 7 with some x G R. For 
each < i < 7, let a; be the smallest integer such that a,i = i 
(mod 7) and p(yi) — at for some yi G i?. Then, using the 
properties of p : R — > Z>o inherited from the valuation vq, we 
can show that {yo, yi, • ■ • > 2/7-1} forms a basis of i? as a free 
module of rank 7 over ¥[x}. Hence {a^y, | fc > 0, < i < 7} 
is a vector space basis of R over F, and will be called the 
monomials of R. The set {a; | < i < 7} is usually referred 
to as the Apery set of A. 
Now let 

00 

R= |J C(sQ + G) CF(I), 

s— — 00 

which is clearly a module over i?. For / 6 R, let (5(/) denote 
the smallest integer s such that / G £(sQ + G). Note that 
simply <5(/) = — uq(/) — vq(G). Thus the map 5 : i£ — > Z 
satisfies the following properties: 

(1) £(/) > -|G| for / G R, where |G| =_deg(G). 

(2) S(fg) = p(f) + 5(g) for / G R, g G P. 

(3) <5(/ + g) > max{S(f),S(g)} for f,g e R. The equality 
holds if $(/) / (5(g). 

(4) If (5(/) = 5(g), then there is a unique c G F such that 
5(f) > S(f - eg). 

Let 

A = {*(/) I / G -R} = {s ,Si,S2,...}. 

Then A + A = A, and hence A contains all large enough 
integers. Therefore for each < i < 7, there exists the 
smallest integer hi such that hi = i (mod 7) and S(y~i) = hi 
for some y s ; G R. Then using the properties of 5, we easily 
see that {yi | < i < 7} forms a basis of R as a free 
module of rank 7 over F[x]. For s G A, if i = s mod 7 and 

= (s — bi)/j > 0, define ip s = x k yi. Note that 5((p s ) = s. 
Thus {(p s I s G A} = {x k yi I k > 0, < i < 7} is a basis of 
J? over F, and will be called the monomials of R. 

Let us consider the i?-module 

Rz © R = {fz + g I / G R, g G R}, 

where z is a variable. Note that it is also a free F[x] -module 
of rank 27 with free basis 

K = {y i z 1 y i I < i < 7}. 

Thus every element in Rz © R can be written as a unique 
F-linear combination of the monomials in 

n = {x k Vi z, x k yi I k > 0, < i < 7}. 

For the monomials, we will use the notations 

degj. (x k yiz) = k, deg y (x k y l z) = i, deg z (x fe y i z) = 1, 
deg x (x k Vi) = k : fegy(x k Vi) = i, deg 2 (a; fe y) = 0. 



We now briefly review the Grobner basis theory on Rz © R, 
regarded as a free module of rank 27 over ¥[x]. First we define 
monomial order > s . For an integer s, the weighted degree of 
a polynomial fz + g G Rz © R is defined as 

Ss(fz + g) = max{p(/) + s, 5(g)}. 

In particular, for monomials, we have 

5 s (x k yiz) = 7& + a; + s, 

<5 s (a; fe y l ) = <5(^ fe y l ) = ik + h. 

Then <5 S induces the weighted degree order > s on il, where 
we break ties by declaring the monomial with z precedes the 
other without z. For / G Rz®R, the notations lt s (/), lm s (/), 
and lc s (/) are used to denote respectively the leading term, 
the leading monomial, and the leading coefficient, with respect 
to > s . If / G R, we may omit the superfluous s from these 
notations. Finally there is a simple criterion to recognize a 
Grobner basis of an F[x]-submodule of Rz © R. 

Proposition 1. Let S be a submodule of Rz © R, and B 

generate S over ¥[x]. If elements of B have leading terms 
with respect to > s that are ¥[x]-multiples of distinct elements 
of K, then B is a Grobner basis of S with respect to > s . If 
this is the case, B is also a free basis of S. 

For more discussion on Proposition [TJ and on the general 
theory of Grobner bases, we refer to fl2l . 
The evaluation map 

'■v : • <p h> (^(Pi), ¥>(P 2 ), • • • , <p(P n )) 

is linear over F. Thus the AG code 

C = Cc(D,G) = cv(C(G)) 

is a linear code of length n over F. Let us assume \G\ < n 
so that the functions in C(G) correspond one-to-one with the 
codewords in C under ev. Note that {ip s \ s G A, s < 0} 
is a basis of C(G) as a vector space over F. Hence the 
dimension of C is k = \{s G A | s < 0}|. So {s G 
A I s < 0} = {sq, Si, . . . , Sfc_i}. We will also assume 
the nonsystematic encoding by evaluation. Thus a message 
ui = (uj So ,uj Si , . . . ,ui Sk l ) G F fe is encoded to the codeword 
ev(p) G C where 

fc-i 

p = y^sifsj € C(G). 

i=0 

Note that the map cv is surjective onto F". Indeed by the 
Riemann-Roch theorem, we see that ev(C(sQ + G)) = ¥ n for 
s > n — \G\ + 2g — 1. Let hi G R be such that ev(hi) is the 
ith element of the standard basis of F™. Let J be the kernel 
of ev. Note that J is a submodule of R over R, and also over 
¥[x]. Let {rji \ < i < 7} be a Grobner basis of J over F[x] 
such that degg(lt(r]i)) = i. 

Proposition 2. We have 

^ deg x (lt(r?i)) = dim ¥ R/J = n. 

0<i<i 
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Proof: The first equality is a standard result of the 
Grobner basis theory. To see the second equality, note that 
for all large enough s, 

n 

dim F R/J = dim F C(sQ + G)/C{sQ + G - ^ P\) = n. 

i=l 

□ 

Now let v G F™ be the received vector. Suppose c G C is 
such that v = c + e, where c = ev(/x) for a unique 

At = X w s ^ s G -C(G). 

s6A,s<0 

The goal of a decoding algorithm is to recover /x, and also c 
if necessary, from v. We consider the interpolation module 

Iv = {fz + g G Rz © R | /(PiH + ff (Pi) = 0, 1 < i < n). 

Using the Grobner basis theory, we will extract p from I v . 
Let 

n 
i=l 

so that ev(/i„) = v. Then J„ = R(z — h v ) + J. Hence by the 
criterion in Proposition Q] the set 

{yi(z-h v ),rii\0<i<j} (1) 

is a Grobner basis of I v with respect to >s(h v )- 
The ideal of the error vector e 

oo 

Je = (J £(sQ -^P,)cJ? 

is also a submodule of R over F[x], and has a Grobner basis 
{fi | < i < 7} with respect to > s such that deg„(lt(ej)) = i. 
We prove the following by the same argument as before. 

Proposition 3. We have 

deg x (lt(ej)) = dim F R/J e = wt(e). 

0<i<7 

III. Decoding Algorithm 

Notice that this section is adapted from the corresponding 
section in [5] for the present general setup, with some changes 
in notations. Some minor errors are also corrected. 



A. Theory 

The basic idea of our decoding algorithm is to iteratively 
compute the coefficients lj s of the function p. For s > 0, 
define = v, cW = c, and p 1 --^ = p. For s G A, s < 0, 
define 

C («-U = c W- eV (a; s ^), 

w (s_1) -ev(w^ s ), 

and for s A, s < 0, let u^ 1 ' = u< s ), c^" 1 ) = c^, and 
^C*- 1 ) = ^W, Note that 



for all s. Let fiW = {.g t (s) , /. ( (s) < i < 7}, 



,(*) 



0<j<7 0<j<7 
0<j<7 0<j<7 



G £(sQ + G), c W=evOiW), w 



be a Grobner basis of I v (,) with respect to > s satisfying the 
criterion lt,^. ) = lt^ij/,) and lt s (/ i (s) ) = lt^a,,*^), 
where aij,bi.j,aj,dij G F[x], for which we suppress the 
necessary superscript (s) for legibility. 

Lemma 4. We have 

X deg(a M ) + X deg(d M ) = n - 

0<i<7 0<i<7 

Proof: As £> ( s ) is a Grobner basis of Z^fs) , 
X deg(a M ) + X deg(d M ) = dim F (i?z © R)/I v(s) . 

0<i<7 0<i<7 

Recall that I v ( 3 ) = R(z — h v ( S )) + J. Hence dim F (i?z © 
R)/I V ( S ) = dim F Rj J — n. □ 

Lemma 5. For < i < 7, we /iave p(ai^yi) < p(ei), that is, 
deg(a M ) < deg a .(lt(e i )). 

Proof: Since J e (z — fi^ s ') C we have ej(z — /iW) G 
4( S) . Note that lt s (e ( (z - = lt s (e;z). As B< s ) is a 

Grobner basis of /^(s), the leading term \t s (eiz) must be an 
F[x] -multiple of lt s (f^). Therefore 5 s {a,i^yiz) < S s (eiz) so 
that p(a iti yi) < p(ti). □ 

Lemma 6. For < i < 7, we /zave 5{di^y~i) < S(j]i), that is 
deg(d ijI ) < deg K (lt(77i)). 

Proof: As i?' s ^ is a Grobner basis of Z u(S ) and J C , 

it follows that It (77^ ) is an F [x] -multiple of lt s (ff|*'). Hence 

S(di,iVi) <S(Vi)- □ 
Now let id be an element of F. For each < i < 7, let 

& = 9i S) ( z + /j = fi(z + Wlfs) 

where the parentheses denote substitution of the variable z. 
The automorphism of the module Rz © R induced by the 
substitution z 1— > z + w<,5 s preserves leading terms with respect 
to > s . Therefore the set B — {gi, fa \ < i < 7} is a Grobner 
basis of 

I = {f{z + wip s ) I / G I vW } 

with respect to > s . However, with respect to > s — 1, B may 
not be a Grobner basis of /. The following procedure modifies 
B to obtain a Grobner basis of / with respect to > s -i- 

For each < i < 7, there are unique integers < i' < 7 
and hi satisfying 

p{fli,iVi) + s = jki + h> (2) 
such that p{ai y iUi) + s G A if and only if fcj > 0. Let 

Cj = deg(rfi' ;i /) - hi, Cj = max{ci, 0} (3) 

and 

= , p-i = ic(a it iyiip s ). (4) 

Pi 
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where the bracket notation f[x k ] refers to the coefficient of 
the term x k in /. Observe that i' = (i + s) mod 7, and hence 
the map i i-)- i' is a permutation of {0, 1, . . . , 7 — 1} and that 
the integer a is defined such that 

j Ci = 5{d v #y v ) - p{a i:l yi) - s. (5) 

Now if Wi = w, let 

9v = &> , fi = fi (6) 
and if Wi 7^ w and Cj > 0, let 

Pi(w - Wi) A 



and if tt^ 7^ w and Cj < 0, let 



0) 
v], 



~ _ - f — f _ ^ W ~ -Ci - 

Qi' — Qi 1 1 Ji — Ji r g \ x 9i' ■, 



(7) 



(8) 



where v\ s ^ = lc(dj,t)- 

Proposition 7. The set B = {gi, fi\0<i<j}isa Grobner 
basis of I with respect to > s _i. 



Proof: Let < i < 7. We consider the pair 



fji' 



E 



iVj' 



E d 



V ,03 



E 



wci> : jyjtp s , 



0<j<7 0<j<7 0<j<7 

fi= E a idyj Z + E Kjyj + E "'"<.;.".. r-- 

0<j<7 0<j<7 0<j<7 

By the assumption that is a Grobner basis of I V ( S ) with 
respect to > s , we have for < j < 7, 

5{di>,i>yi>) > S s (cir t jyjz) > S(wci' tj yjip s ) 

and for < j < 7 with j ^ i', 8(d i >^y il ) > 8{d Vtj yj). 
Therefore 

\t s -i{gi>) = H d i',i'Vi')- 

Similarly we have for < j < 7 with j 7^ i, 

5 s {ai,iyiZ) > !>s{ai,jyjz) > Siwciijyjips) 

and for < j < 7 with j 7^ i', 5 s (a,i t iyiz) > 5(bijy~j) by the 
definition of i' in (|2). Note that 

S s (ai,iyiz) > 5{bi^yi> + wa iti yiip s ) (9) 

where the inequality is strict if and only if w = Wi by the 
definition of wi in (|4j. Hence if w = Wi, then lt s _i(/j) = 
\t s -i{a iti yiz) and if w ^ w t , then lt s _i(/i) = \t(b i>v y v + 
wa iti yi(p s ). 

Now we consider the set B with respect to > s _i. For the 
case that w; = w, by ©, 

lt s -i(.9 4 ') = lt s -i(ffi') = lt(di',i'3/i')> 
lt s -i(/i) = lt s _i(/i) = Its-iCa^jy^). 
In the case that Wi ^ w and Cj > 0, we have (|7). Observe that 
lt s _i(x Ci / i ) = a; Cl \t(bi^yi, + wa^yiPs), 
lt s -i(ffi') = lt(dj' 
and by © and ©, 

jCi + S(b iti >yi> +wa iti yi(p s ) = 'yci + S s (a ii iy i z) = S(d v>il y v ). 



(10) 



Moreover 

lc s _i(a; Ci /i) = lc^i'^j/ + wa,i,iyi{p a ) = -piWi + /i^w 
= lc s _i( ^ ft/)- 

This implies that there is a canceling of the leading coefficients 
in ©. Therefore, together with (0, we have 



(11) 



lt s -i(/i) = lt s _i(a; Ci a i)< y < 2), 

lt s -i(.g 4 ') = lt s _i(/i) = lt(6i,i'yi' + wa,i t iynp s ). 

For the case that Wi ^ w and Q < 0, we have dHJ. By almost 
the same argument as above, we can show that 

lt s -i(.9i') = lt(di',i>y~i>), lt s -i(fi) =\t s -i(a,i,iyiz). (12) 

Finally it is clear that B still generates the module /. From 
([Tol l. (fTTt . and ( fT2l . we see that B is a Grobner basis of I 
with respect to > s _i, by the criterion in Proposition Q] □ 
For the following, it is important to keep in mind that the 
values Wi, Ci are determined only by B^ and independent of 
w although B is clearly dependent on w. 

Lemma 8. Let 0<i<j.lfwi^w, then 
Sa-iQji') = 8(di>,i>yi>) - 7Cj, 
Ss-x(fi) = 5 s -i{ai,iyiz) + 7c». 



(13) 



Proof Suppose 7^ u>. Let us show the first equation. 
If Ci > 0, then 

£ s -i(<?i') = (5s— 1 (J-i) = 5(bi^yi, + wai t iynp s ) 
= 5 s (a iA yiz) = 8(d V yyi>) - jc u 

by (HD, ©, and ©. If c 4 < 0, then <5 s -i(ffi') = 5{d VyV y v ) 
by (I12t , The second equation is clear by (fTTT i and (I12t , □ 

Lemma 9. For i wi//z 7^ o; s , 

p(ej) - p{a l ^y i ) > 7c l 

one/ 

min{p(ei) + s,<5(^-)} > (5(di- ti /y v ). 

Proof: Suppose Wi 7^ ui s . Then let us set w — uj s . Since 
J e (z - uj s ip s - p^-^) C /„(,), we have J e (z - ^( s_1 )) C 
/. In particular, ei{z - p( s ~^) G /. Note that lt s _i(e 4 (z - 
^( s -!))) = \t s _ l (e i z). As _B is a Grobner basis of / with 
respect to > s _i and deg y (ei) = i, lt s _i(eiz) must be an 
F[x] -multiple of lt s _i(/i). With ([BJ, this implies pfa) > 
p{ai^yi) + j5i. Then by ©, 

p(ei) - p(a,i^yi) > jCi > jCi = S(di>^yi>) - p{a,isyi) - s. 

Hence p(ti) + s > 8(di' ,i>y~i>)- With Lemma [6] this implies 
the second inequality. □ 

Lemma 10. For i with Wi = u> s , 

min{p(e i ) + s^fa')} > 5{d l >^y i/ ) - 7c, 

Proof: Suppose w, = uj s . Then choose i«£F such that 
w uj s . Since J e (z — ui s (p s — p^^ 1 ^) C /„(»), we have 

J e (z - (lu s - w)ip s - p {s ~ 1} ) C /. 
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In particular, Ci(z — (u) a —w)(p s — <E I- As uj s — w =/= 0, 

we have 

lt s _i(ej(2 - (uj s - w)tf s - ^i (s_1) )) = lt((cj s - w)ei<p s ). 

By the definition of z' and as B is a Grobner basis of / with 
respect to > s _i, lt((w s — w)eiip s ) must be an W[x] -multiple of 
lt s -i(<?i')' Then p(ei) + s > S(d i ^ i 'y i/ )-jc i by ([13). Finally, 
S(Vi') > ${di<,i<yi>) > <5(<V,i'2/i') - jc { by Lemma |6] □ 

Proposition 11. The condition 

E max{<5(77i>) - p(yi) - s,p(ei) - p(yi)} > 2jwt(e) 

0<i<7 

implies J2 Wi =u, a > E„,^ s c*. 
Proof: Lemmas [9] and [10] imply 

E ICi > E 5{d i i > i>y i i) -min{p(e i ) + s,S(r) i ')} 



Wi—UJ s Wi—UJ s 



> 2J 8(di>,i>yi>) - min{p(e;) + s, 

0<i<7 



and 



E 7^ < E ~ P^hiVi) 

< E P( e *) - p{ai,iVi)- 

0<i<7 

Hence 

E 7 5 * ~ E 7 ^ - X! P( a i,iVi) + S (dt',i'Vi') 
Wi=oj s Wi=£u B 0<i<7 

- min{2p(e,;) + s,p(ei) + 
= E ^Vi') +p(Vi) -min{2p(ei) + s,p(e;) + <%</)} 

0<i<7 

= ^ max{<5(r?i/)+p(y i )-2p(e i )-s,p(j/ < )-p(e i )} 

0<i<7 

= X max{<y(i7 i /)-p(j/i)-s,p(ej)-p(j/ i )}-27wt(e) 

0<i<7 

where we used the equality 

E p(ai,iyi) + 8(<k> j'ih') 

0<i<7 

= X! 7deg(a i) i)+7deg(d i) i) + p(y<) + *(j/t) 

0<i<7 

0<i<7 0<i<7 

shown by Lemma [4] and Proposition [2] and the equality 

E 2(p(e i )-p(y i ))= ^ 2 7 deg ;c (e l ) =2 7 wt(e) 

0<i<7 0<i<7 

shown by Proposition [3] □ 
Let 

= - E max{5(^/) - p(yi) - s,0} 

7 0<i<7 

for s G A. s < 0. Then define 

c^LO = mm{v(s) | s £ A, s < 0}. 



Proposition 12. 77ze condition v(s) > 2wt(e) implies 

E > e 

Proof: Just note that p(ej) — p(y%) > for < i < 7. □ 
Proposition 13. We have e^o > ™ — 
Proq/: Note that 

v(s) = - E max{<5(77i') - p( yi ) - s ,0} 

7 0<i<7 



' 0<i<7 



' 0<i<7 

To show the last equality, pick any / in R. Then 

~ E (*(»*) -p(»)) 



0<i<7 
1 

7 



i X (7deg^ + <*(/)) 

0<i<7 

E de g,(^)- E deg x (^/) + <5(/) 

0<i<7 0<i<7 

dim F fl/J - dim F R/(Rf) + 5(f) 
n-\G\. 



since 



dim F i?/CR/) = dim F £((s + 6(f))Q + G)/C{sQ)f 
= \G\+S(f) 

for all large enough s. □ 
B. Algorithm 

With the input v G F™ the received vector, the algorithm 
below outputs the message (u So ,uj Si , . . . ,uj Sk l ) if 2wt(e) < 
dho- 

a) Initialization: Let N — 6(h v ), and let be the 
Grobner basis of with respect to >n, 

{yi(z - h v ),i]i I < i < 7}. 

Let w s = for s with AT < s < 0, s S A. The following steps 
Pairing, Voting, and Rebasing are iterated for s decreasing 
from to so. 

b) Pairing: Suppose = {g\ s \ f^ s) < i < 7} is 
a Grobner basis of with respect to > s where 

9I = E c ^yj z + E 

0<j<7 0<j<-y 

= E + E bi <jy~i 

0<j<7 0<j<7 

and let u\ s = \c(di^). For < i < 7, let i' = (i + s) mod 7, 

fe, = dcg(a^ 4 ) + (a 2 + s - b v )/^, and c, = Aeg(d t > ^) - k t . 
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c) Voting: If s > or s ^ A, then for i with ki > 0, let 

Wj = -bi,i'[x ki ], Mi = 1 

and for i with fcj < 0, let Wi = 0, /i, = 1. Let io = in both 
cases. 

If s < and s£ A, then for each i, let 

fci.-i' \x ki ] 



ti'i 



and let cj = max{ci,0}, and let w be the element of F with 
the largest 

W — Wi 

and let w s = w. 

d) Rebasing: For each i, do the following. If Wi — w, 
then let 

91 



= 9i> '(z + wip s ) 



I, 



(s-l) _ As) 



(14) 



and let v\f ^ = v\f\ If Wi ^ w and Ci > 0, then let 



>-i) _ ,(«) 



f(*-l) _ „Ci f{») 



x Ci f> >(z + wip s ) 

73 — g\,\z + wip s ) 

v), 



(15) 



and let v\f = fXi(w — Wi). If Wi ^ w and a < 0, then let 

(s-l) (s) / | \ 



J t 



(s-l) _ As) 



fl s >(z + w<p s ) 

flj(w - Wj) ( S ) 

73 x 'gy(z + w(p s ) 



(16) 



and let 4' _1) = v\f ] . Let S^ 1 ) = {g\ s ~ l) , f}°~ 1J | < 
i < 7}. 

e) Output: After the iterations, output the recovered 
message {w So ,w Sl ,..., w Sk _ 1 ). 

We now give an overview of the algorithm. Note that the 
decoding algorithm is in one of two phases while s decreases 
from N to sq. The first phase is when s > or s ^ A, and 
the second phase is when s < 0, s G A. In the first phase, 
the Grobner basis of I v ( a ) with respect to > s is updated 
such that £>( s_1 ) is a Grobner basis of I v (s-i) with respect to 
> s -i where 

„(-!)= „(«). 

In the second phase, the algorithm determines w s by majority 
voting and updates I?M such that B( s_1 ) is a Grobner basis 
of i„(s-i) with respect to > s _i where 

= - ev(w s <p s )- 

When the algorithm terminates, w s are determined for all s G 
A,s < 0. 

Proposition 14. For Af > s > s > S^ s ) /i a Grobner 

basis of Zy( s ) w/f/i respect to > s . 

Proof: This is proved by induction on s. For s = iV, this 
is true by (Q3. Now our induction assumption is that this is 



(s-l) As-1) 



true for s. In the second phase, we already saw in Proposition 
[7] that £?( s_1 ) is a Grobner basis of I v ^-i). So it remains to 
consider the first phase. The proof for this case is similar to 
that of Proposition [7] 

Suppose s > or s £ A. Let < i < 7. Recall 



0<j<-) 0<i<7 



0<j<7 0<j<7 

By the induction assumption, we have for < j < 7, 



$(di>,i>yi>) > 5 s (ci>jyjz) = p{c V jyj) + s 

and for < j < 7 with j ± i', 8(di>yy~i<) > 5(di> ; jy~j). 
Therefore lt s _i(g|, ) = \t{dii ^tjii). Similarly, by the in- 
duction assumption, we have for < j < 7 with j ^ i, 

5 8 {a iy iyiz) > S s (a i:] yjz) and for < j < 7 with j ^ i', 
5 s {a iti yiz) > S(b itj yj). 
Note that 

S s (ai,iyiz) > 5(bi ti >y~i>) (17) 

where the inequality is strict except when p(a,i^yi)+s G A and 
bi,i<[x ki ] 7^ 0. Recall that Wi = if and only if piai^yi) + 
s £ A or p(di^yi) + s G A but = 0. Therefore if 

Wi = 0, then lt s _i(/f s) ) = lt s - 1 (a t , i y i z) and if ^ 0, then 

it._i(/i a) ) = lt^fcO- 

Now in the case when w, = 0, by (fT4l > and (fTTI i, 

it-^rV) = it s _i(4 s) ) = it(di',<'W'). 

lt s _ 1 (/f- 1) ) = lt s _i(/ t (s) ) = lt._ 1 (o i ,,y 4 2!). 
In the case when Wi 7^ and c, > 0, by (fT5l l, 

( s -i) _ ,(») _ c, „( s ) [Mm (s) 

SJi' — Ji i Ji — x Ji ' ( s ) !Ji> ■ 

Observe that 

lt s -x(x c *f!> s) ) = x c * lt(bi, v y v ), lt.-!^) = lt{d VtV y v ), 

7Q + 8{bi fV y v ) = 7c t + (5 s (a 4!i y 4 z) = 8(d v 
and by the equality in (fTTI i, 

Ic,_i(a; c */ < w )=lc(6 iji /y i /) 



lc *-i(— Si- )• 



This implies lt s _i(// s x) ) = lt s -i(x c * a iti yiz). 

Finally in the case when Wi ^ and a < 0, by ( fToT l. 

( s -l) _ («) .(,-1) _ .(.) (Mm Ci (3) 
Hi' —Hi' t Ji —Ji~ r ( s \ ^ !Ji' ■ 

Then we can show that lt s _i(/ i ( ' S ) = lt a -i(ai iyiz) by the 
same argument as when c, > 0. 

Hence all in all the set B^^ 1 ^ is a Grobner basis of I„o-i) 
with respect to > s _i also in the first phase. □ 

Proposition 15. If 2wt(e) < c^lo, f^en w s — uj s for all s G 

A, s < 0. Hence 

seA,s<o 

Proo/: If 2wt(e) < d LO , then Propositions [12] and [14] 
imply u) s = a; s for all s G A. s < 0. □ 
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C. Complexity 

Recall that the main data with which the decoding algorithm 
works is essentially 27 x 27 array of polynomials in F[x] that 
represents B^ s \ Each of the 27 rows of the array are again 
viewed as pairs of vectors in F[a;] 7 . To optimize the speed 
complexity of the algorithm, it is necessary to precompute 
and store required information as vectors in F[x] 7 before the 
error correction processing for the received vector v begins. 

For the Initialization step, we precompute hi for 1 < i < n 
and j]i for < i < 7 in the vector form. Then for given v, h v is 
computed just as an F-linear combination of the vectors. Thus 
the setup of the initial Grobner basis B^ N > is straightforward. 

In the Rebasing step, the most intensive computation is 
the substitution of z with z + wip s . As cp s is in the form 
x k yi, the computation is facilitated if yiijj for < i,j < 7 
is precomputed in the vector form. The necessity of the 
precomputation of yiijj was first noted in [13] for the case 
of general one-point codes. 

If the output of the algorithm at the Output step should be 
the corrected codeword, say, under systematic encoding, then 
precomputation of the vectors ev((p Si ) in F™ for < i < 
k — 1, essentially the generator matrix of the code C, would 
be necessary. 

Proposition 16. Lagrange basis polynomial hi can be chosen 
such that the maximum degree of the polynomials in the vector 
form of hi is bounded by 

N h = L(n + 2. 9 -l)/ 7 J. 

Proof: By the Riemann-Roch, we can choose hi in 

CisQ + G + Pt- J2 Pj)/C{sQ + G- J2 P i) 

if s+\G\-n = 2g - 1, and hence 8 (hi) <n- \G\ + 2g - 1. 
Suppose hi = So<i< 7 h ijVi with hij e F N- Then 

7 deg(h tj ) + 8(yj) < n - \G\ +2g - 1 
Since 8(yf) > —\G\, we have deg(hij) < (n + 2g — l)ft. □ 

Proposition 17. The maximum degree of the polynomials in 
the vector form of rji is bounded by 

N,= [(n + g)ft\. 

Proof: Since dimjr R/J — n, there can be no more than 
n monomials preceding lm^), which implies 8(r/i) < s n . 
Recall that A + So C A. Therefore s n < sq + n + g. Suppose 
that m = X)o<j< 7 VijVj with Vij e F N- Then 

7deg(7?ij) + 8%) < 8(m) < s + n + g. 

Since S(y~j) > s , we have deg^j) < (n + g)/j. □ 

Proposition 18. The maximum degree of the polynomials in 
the 27 x 27 array during an execution is bounded by 

iVdcg = 1 + L(" + 4 .g - 2)/ 7 J 

if g > 0. If g = 0, then it is bounded by n. 

Proof: First observe that the behavior of the algorithm is 
such that the maximum of 8(f) for / g is monotonically 



decreasing through the iterations. So it suffices to consider 
8(r)i) and 8(yih v ) in the initial basis B^ N \ Since 8 (hi) < 
n— \G\ + 2g— 1 and p(yi) — a, < 25 + 7— 1 by the definition 
of a,, we have 

S(yih v ) <7 + n-|G| + 4 5 -2 

On the other hand, 8(i~ii) < sq + n + g. Hence during the 
execution, we have for / 6 B^ s \ 

8(f) = max{7 + n - \G\ + 4g - 2, s + n + g}, 

from which we deduce that the maximum degree of the 
polynomials in the array is bounded by 

max{l + (n + Ag - 2) ft, (n + g)ft}, 

where the former is larger if g > 0. If g — 0, the latter is 
larger, and is n. □ 

Proposition 19. The number of iterations is at most 

Niter = n + 2g, 

Proof: The algorithm iterates from 8(h v ) to s . Since 
8(h v ) < ??. — |G| + 2<7 — 1 and s > — | C | , the number of 
iterations is at most 8(h v ) — sq + 1 < n+ 2g. □ 

Proposition 20. If g > 0, an execution of the decoding 
algorithm takes 0((n + 4<j , )(n + 2g)g) multiplications. For 
g = 0, it takes 0(n 2 ) multiplications. The implicit constant is 
absolute. 

Proof: For the first phase iteration, the update for each 
pair of the upper and lower rows of the array takes 0(n + 
Ag + 7) multiplications. Hence for the whole array, it takes 
0((n + Ag + 7)7). For the second phase iteration, note that 
the maximum degree of the polynomials in the vector form of 
yil/j is (Ag + 27 — 2)/^. Hence the substitution operation for 
each row takes 0((n + Ag)(2g + 7V7). For the whole array, 
it is 0((n + Ag)(2g + -/)). 

If g > 0, then 7 < g, so an iteration in either of first 
phase and second phase takes 0((n + Ag)g) multiplications. 
Thus for iVjter number of iterations, it takes 0((n + Ag)(n + 
2g)g) multiplications. On the other hand, 7 = 1 for g = 0. 
Finally the dominant part of the computation of the initial basis 
is the computation of h v , which takes 0(n(n + 2g)) 
multiplications. □ 

IV. Examples 

In this section, we give some explicit examples illustrating 
our decoding algorithm. We implemented the algorithm in 
Magma 03). In particular, for the computation of yi and yi, 
HeB' algorithm [ 15 1 is heavily used as implemented in Magma. 
For the computation of rji, we used a custom FGLM algorithm 
Ifl6l . 

A. Two-Point Hermitian Code 

Let X be the Hermitian curve defined by 

y 3 + y = x 4 



x 



over Fg = Fa(a) with a 2 — a — 1 = 0. The genus of X is 
3. Let G = —O + 18Q where O is the origin and Q is the 
unique point at infinity. Except O and Q, there are 26 rational 
points 

(0,a 2 ),(0,a 6 ),(l,2),(l,a),(l,a 3 ),(2,2),(2,a), 
(2, a 3 ), (a, 1), (a, a 7 ), (a, a 5 ), (a 2 , 2), (a 2 , a), (a 2 , a 3 ), 
(a 7 , 1), (a 7 , a 7 ), (a 7 , a 5 ), (a 5 , 1), (a 5 , a 7 ), (a 5 , a 5 ), 
(a 3 , 1), (a 3 , a 7 ), (a 3 , a 5 ), (a 6 , 2), (a 6 , a), (a 6 , a 3 ). 

Then the AG code C = Cc(D, G) is a [26, 15, 9] linear code 
over Fg. 

The Weierstrass semigroup at Q is 

A = {0,3,4,6,7,8,9,...}. 
So 7 = 3, and we take x — x. The F[x] -basis of R is 

2/o = i, p(yo) = o, 
2/i = y, p(yi) = 4, 

2/2 = y 2 , p(2/2) = 8. 

On the other hand, 

A = {-15, -14, -12, -11, -10, -9, -8, -7, -6, -5, -4, 
-3,-2,-1,0,1,2,3,...} 

and the F[x] -basis of R is 

2/o = x, (5(j/ ) = -15, 
2/1 =y, <f(j/i) = -14, 
i7 2 = y 2 , 5(2/2) = -10. 

The F[x] -basis of J is 

'7o = (a; 8 - l)27o, 
??i = (x 9 - x)y x , 
??2 = (x 9 -x)y 2 . 
Using the above data, we can compute c?lo = 9 since 
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v{s) 
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-8 


17 


-1 


10 


-9 


18 


-2 


11 


-10 


19 


-3 


12 


-11 


20 


-4 


13 


-12 


21 


-5 


14 


-14 


23 


-6 


15 


-15 


24 


-7 


16 







The Lagrange basis for R is 

hi = (-x 8 + l)y 2 + (a 6 x 8 + a 2 )y, 
k 2 = (-x 8 + l)y 2 + (a. 2 x 8 +a 6 )y, 

^26 = (-x 8 + a 2 x 7 H h a 6 x)y 2 

+ (a 7 x 8 + a 5 x 7 H h ax)y 

+ ax 8 + a 7 x 7 H h a 3 x. 



Now suppose that the received vector is 

v = (0,0, 0,0, a 2 , -1,0, 0,0, 0,0, 0,0, 0,0, 0,0,0, 
a 3 , 0,0, 0,0, 0,-1,0) e Fg 6 . 
Then the six generators of the module are 

.90 = no, 

91 = Vu 

92 = T)2, 

fa = Vo(z - h v ), 
fi = Vi(z - h v ), 
h = Vi{z - h v ), 

where 

h v = (a 7 x 7 + 2x 6 + q 3 x 5 + a 7 x 4 + q 2 x 3 + a 7 x 2 + ax)y 2 
+ (a 2 x 8 + a 2 x 7 + a 6 x 5 + 2x 3 + x 2 + a 7 x)y 
+ x 8 + a 6 x 7 + a 5 x 5 + 2x 3 + a 6 x 2 + a 2 x. 

Since N — S(h v ) = 11, the initial basis of in (TT~8T > is a 
Grobner basis with respect to >n. Then we move on to the 
main iterative steps. In the first Pairing and Voting steps, the 
following data is computed: 

8 = 11 

i V Cj Wi 

~Q~2 2 a 7 

1 -2 a 7 

2 1 -2 a 7 

In the Rebasing step, the basis is updated to ( TT9b . which is a 
Grobner basis with respect to >io. Similar updates are iterated 
until s reaches to 0. The Grobner basis of I v (o) with respect 
to >o is (f20b . Now that s G A, s < 0, the algorithm goes 
into the second phase in which majority voting takes place. 
We listed in d22l) the data computed in the Pairing and Voting 
steps. For example, for s = 0, the winner w in the voting 
is 0. The basis after the final iteration is d2~Tl) . Note that the 
recovered message is G F 14 . 

B. Two-Point Code on the Klein Quartic 

The Klein quartic over F§ is defined by the equation 

y 3 + x 3 y + x = 0. 

The genus of the curve is 3. The curve has 24 rational points 
including two points Qi = [0 : 1 : 0], Q2 = [1:0:0] at 
infinity. Let G = —Qi + 19Q2 and Q = Q\, The Weierstrass 
semigroup at Q is 

A = {0,3,5, 6,7,8,...}. 
Hence 7 = 3, and we take x = y. Then 

2/0 = 1, p(vo) = 0, 

2/1 = yx 2 , p(yi) = 7, 
2/2 = yx, p(y 2 ) = 5. 

We find that 

A = {—17, —14, —13, —12, —11, . . .} 
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27o=x 2 /y 8 +x/y 5 , 5(y a ) = -12, 
m = x/y 9 + 1/y 6 , 5^) = -17, 
2/2=x 2 /y 6 , 5(y 2 ) = -13. 

The ¥[x] -basis of J is 

Vo = (x 7 + l)yo, 
m = (x 7 + 1)2/1, 
92 = (x 8 + x)y 2 . 
Note that we have d^o = 5 since 
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Indeed the code C — Cc{D, G) is [22, 16, 5] linear code over 
F g . So the decoding algorithm corrects errors up to half of the 
minimum distance. 



Now let us see what happens if we take Q = Q 2 - As the 
code Cc(D,G) itself is independent of the choice of Q, we 
obtain the same linear code. Incidentally A does not change, 
and we have the same 7 = 3, but we should take x = x/y, 
and 

2/o = i, p(yo) = o, 

2/1= x/y 3 , p( yi )=7, 
2/2= x/y 2 , p(y 2 )=5. 

On the other hand, we have different 

A = {-16,-14,-13,-12,-11,...} 

and 

y =x/y 3 , % ) = -12, 
?7i=x/y 2 , 5( yi ) = -U, 
2/2= x/y, 5(y 2 ) = -16. 

This time the ¥[x] -basis J is 

?7o = (x 8 +x)y , 

91 = O 7 + 1)2/1, 

92 = (x 7 + l)|/2, 
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Thus we have c?lo = 4 this time. This example shows that 
the performance of our decoding algorithm indeed depends on 
the choice of Q in a subtle way. 

C. Two-Point Code on a Suzuki Curve 
Let us consider the Suzuki curve 

y 8 - y = x 2 (x 8 - x) 

over Fg. The genus of the curve is g = 14. This curve has 
65 rational points including one cusp at infinity. Let G = 
15(9 + 24Q where O is the origin and Q is the unique place 
at the cusp. Let D be the sum of other 63 rational points. 
Then the code Cc(D, G) is a [63, 26, > 25] linear code over 
Fg with the best known minimum distance for codes of length 
63 and dimension 26 over Fg ifTTI . We have c?lo = 25. 

Recall that n = 63, g = 14, and 7 = 8. The maximum 
degree of the polynomials in the vector forms of hi is 7 
(Nh = 11). The maximum degree of the polynomials in the 
vector forms of rji is 8 (N v = 9). In an experiment with 10 5 
instances of decoding random errors of weight 12, the decoder 
performed at most 82 (A^ter = 91) iterations with an 16 x 16 
matrix of univariate polynomials at most 13 (A^og = 16) 
degree over Fg. It took 0.0397 second to decode one instance 
on Macbook Pro, taking 0(151606) multiplications according 
to Proposition l20l 

D. Two-Point Reed-Solomon Code 

The projective line over ¥§4 is a curve with genus whose 
function field is the rational function field Fg4(a;). It has 65 



rational points including the point at infinity. Let G = — O + 
39Q where O is the origin and Q is the point at infinity. Let 
D be the sum of the remaining rational points. Then the code 
Cc{D, G) is a [63, 39, 25] two-point Reed-Solomon code over 
F 64 . We have d LO = 25. 

Note that n = 63, .9 = and 7 = 1. The maximum degree 
of the polynomials in the vector forms of hi is 62 = Nh. The 
degree of the polynomial in the vector form of 770 is 63 = 
N v . In an experiment with 10 5 instances of decoding random 
errors of weight 12, the decoder performed at most 63 = iVjter 
iterations with 2x2 matrix of univariate polynomials at most 
63 = iVdeg degree over ¥$4. It took 0.0039 second to decode 
one instance, taking 0(3969) multiplications. 

V. Remarks 

We presented a unique decoding algorithm that can decode 
errors up to half of the bound d^o- Beelen and H0holdt's 
algorithm in J8] is similar in approach to ours, and can decode 
up to half of their generalized order bound. Thus we can 
speculate that c£lo is related with the generalized order bound. 
Indeed it was shown in Q that the bound g?lo as defined in [5] 
coincides with the so-called Andersen-Geil bound ^ag EEl- 
The relationship between these bounds may be treated in a 
separate place. 

Geil and et al. Q also showed that by a slight modification, 
the algorithm in J5) can be turned to a list decoding algorithm. 
The same can be done with the present general algorithm, but 
we leave out the details. 
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